parent
584fe4fb93
commit
758269e3d8
|
@ -154,7 +154,7 @@ func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWr
|
||||||
Created: time.Now().Truncate(time.Second).UTC(),
|
Created: time.Now().Truncate(time.Second).UTC(),
|
||||||
}
|
}
|
||||||
if signup.Email != "" {
|
if signup.Email != "" {
|
||||||
encEmail, err := data.Encrypt(app.keys.emailKey, signup.Email)
|
encEmail, err := data.Encrypt(app.keys.EmailKey, signup.Email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Unable to encrypt email: %s\n", err)
|
log.Error("Unable to encrypt email: %s\n", err)
|
||||||
} else {
|
} else {
|
||||||
|
|
7
app.go
7
app.go
|
@ -37,6 +37,7 @@ import (
|
||||||
"github.com/writeas/web-core/log"
|
"github.com/writeas/web-core/log"
|
||||||
"github.com/writeas/writefreely/author"
|
"github.com/writeas/writefreely/author"
|
||||||
"github.com/writeas/writefreely/config"
|
"github.com/writeas/writefreely/config"
|
||||||
|
"github.com/writeas/writefreely/key"
|
||||||
"github.com/writeas/writefreely/migrations"
|
"github.com/writeas/writefreely/migrations"
|
||||||
"github.com/writeas/writefreely/page"
|
"github.com/writeas/writefreely/page"
|
||||||
)
|
)
|
||||||
|
@ -69,13 +70,17 @@ type App struct {
|
||||||
db *datastore
|
db *datastore
|
||||||
cfg *config.Config
|
cfg *config.Config
|
||||||
cfgFile string
|
cfgFile string
|
||||||
keys *Keychain
|
keys *key.Keychain
|
||||||
sessionStore *sessions.CookieStore
|
sessionStore *sessions.CookieStore
|
||||||
formDecoder *schema.Decoder
|
formDecoder *schema.Decoder
|
||||||
|
|
||||||
timeline *localTimeline
|
timeline *localTimeline
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (app *App) SetKeys(k *key.Keychain) {
|
||||||
|
app.keys = k
|
||||||
|
}
|
||||||
|
|
||||||
// handleViewHome shows page at root path. Will be the Pad if logged in and the
|
// handleViewHome shows page at root path. Will be the Pad if logged in and the
|
||||||
// catch-all landing page otherwise.
|
// catch-all landing page otherwise.
|
||||||
func handleViewHome(app *App, w http.ResponseWriter, r *http.Request) error {
|
func handleViewHome(app *App, w http.ResponseWriter, r *http.Request) error {
|
||||||
|
|
|
@ -29,6 +29,7 @@ import (
|
||||||
"github.com/writeas/web-core/log"
|
"github.com/writeas/web-core/log"
|
||||||
"github.com/writeas/web-core/query"
|
"github.com/writeas/web-core/query"
|
||||||
"github.com/writeas/writefreely/author"
|
"github.com/writeas/writefreely/author"
|
||||||
|
"github.com/writeas/writefreely/key"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -44,7 +45,7 @@ var (
|
||||||
|
|
||||||
type writestore interface {
|
type writestore interface {
|
||||||
CreateUser(*User, string) error
|
CreateUser(*User, string) error
|
||||||
UpdateUserEmail(keys *Keychain, userID int64, email string) error
|
UpdateUserEmail(keys *key.Keychain, userID int64, email string) error
|
||||||
UpdateEncryptedUserEmail(int64, []byte) error
|
UpdateEncryptedUserEmail(int64, []byte) error
|
||||||
GetUserByID(int64) (*User, error)
|
GetUserByID(int64) (*User, error)
|
||||||
GetUserForAuth(string) (*User, error)
|
GetUserForAuth(string) (*User, error)
|
||||||
|
@ -219,8 +220,8 @@ func (db *datastore) CreateUser(u *User, collectionTitle string) error {
|
||||||
|
|
||||||
// FIXME: We're returning errors inconsistently in this file. Do we use Errorf
|
// FIXME: We're returning errors inconsistently in this file. Do we use Errorf
|
||||||
// for returned value, or impart?
|
// for returned value, or impart?
|
||||||
func (db *datastore) UpdateUserEmail(keys *Keychain, userID int64, email string) error {
|
func (db *datastore) UpdateUserEmail(keys *key.Keychain, userID int64, email string) error {
|
||||||
encEmail, err := data.Encrypt(keys.emailKey, email)
|
encEmail, err := data.Encrypt(keys.EmailKey, email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Couldn't encrypt email %s: %s\n", email, err)
|
return fmt.Errorf("Couldn't encrypt email %s: %s\n", email, err)
|
||||||
}
|
}
|
||||||
|
@ -1780,7 +1781,7 @@ func (db *datastore) ChangeSettings(app *App, u *User, s *userSettings) error {
|
||||||
|
|
||||||
// Update email if given
|
// Update email if given
|
||||||
if s.Email != "" {
|
if s.Email != "" {
|
||||||
encEmail, err := data.Encrypt(app.keys.emailKey, s.Email)
|
encEmail, err := data.Encrypt(app.keys.EmailKey, s.Email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Couldn't encrypt email %s: %s\n", s.Email, err)
|
log.Error("Couldn't encrypt email %s: %s\n", s.Email, err)
|
||||||
return impart.HTTPError{http.StatusInternalServerError, "Unable to encrypt email address."}
|
return impart.HTTPError{http.StatusInternalServerError, "Unable to encrypt email address."}
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright © 2019 A Bunch Tell LLC.
|
||||||
|
*
|
||||||
|
* This file is part of WriteFreely.
|
||||||
|
*
|
||||||
|
* WriteFreely is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License, included
|
||||||
|
* in the LICENSE file in this source code package.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Package key holds application keys and utilities around generating them.
|
||||||
|
package key
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
EncKeysBytes = 32
|
||||||
|
)
|
||||||
|
|
||||||
|
type Keychain struct {
|
||||||
|
EmailKey, CookieAuthKey, CookieKey []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateKeys generates necessary keys for the app on the given Keychain,
|
||||||
|
// skipping any that already exist.
|
||||||
|
func (keys *Keychain) GenerateKeys() error {
|
||||||
|
// Generate keys only if they don't already exist
|
||||||
|
var err, keyErrs error
|
||||||
|
if len(keys.EmailKey) == 0 {
|
||||||
|
keys.EmailKey, err = GenerateBytes(EncKeysBytes)
|
||||||
|
if err != nil {
|
||||||
|
keyErrs = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(keys.CookieAuthKey) == 0 {
|
||||||
|
keys.CookieAuthKey, err = GenerateBytes(EncKeysBytes)
|
||||||
|
if err != nil {
|
||||||
|
keyErrs = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(keys.CookieKey) == 0 {
|
||||||
|
keys.CookieKey, err = GenerateBytes(EncKeysBytes)
|
||||||
|
if err != nil {
|
||||||
|
keyErrs = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return keyErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateBytes returns securely generated random bytes.
|
||||||
|
func GenerateBytes(n int) ([]byte, error) {
|
||||||
|
b := make([]byte, n)
|
||||||
|
_, err := rand.Read(b)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return b, nil
|
||||||
|
}
|
28
keys.go
28
keys.go
|
@ -11,8 +11,8 @@
|
||||||
package writefreely
|
package writefreely
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/rand"
|
|
||||||
"github.com/writeas/web-core/log"
|
"github.com/writeas/web-core/log"
|
||||||
|
"github.com/writeas/writefreely/key"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
@ -20,8 +20,6 @@ import (
|
||||||
|
|
||||||
const (
|
const (
|
||||||
keysDir = "keys"
|
keysDir = "keys"
|
||||||
|
|
||||||
encKeysBytes = 32
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -30,9 +28,6 @@ var (
|
||||||
cookieKeyPath = filepath.Join(keysDir, "cookies_enc.aes256")
|
cookieKeyPath = filepath.Join(keysDir, "cookies_enc.aes256")
|
||||||
)
|
)
|
||||||
|
|
||||||
type Keychain struct {
|
|
||||||
emailKey, cookieAuthKey, cookieKey []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
func initKeyPaths(app *App) {
|
func initKeyPaths(app *App) {
|
||||||
emailKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, emailKeyPath)
|
emailKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, emailKeyPath)
|
||||||
|
@ -42,12 +37,12 @@ func initKeyPaths(app *App) {
|
||||||
|
|
||||||
func initKeys(app *App) error {
|
func initKeys(app *App) error {
|
||||||
var err error
|
var err error
|
||||||
app.keys = &Keychain{}
|
app.keys = &key.Keychain{}
|
||||||
|
|
||||||
if debugging {
|
if debugging {
|
||||||
log.Info(" %s", emailKeyPath)
|
log.Info(" %s", emailKeyPath)
|
||||||
}
|
}
|
||||||
app.keys.emailKey, err = ioutil.ReadFile(emailKeyPath)
|
app.keys.EmailKey, err = ioutil.ReadFile(emailKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -55,7 +50,7 @@ func initKeys(app *App) error {
|
||||||
if debugging {
|
if debugging {
|
||||||
log.Info(" %s", cookieAuthKeyPath)
|
log.Info(" %s", cookieAuthKeyPath)
|
||||||
}
|
}
|
||||||
app.keys.cookieAuthKey, err = ioutil.ReadFile(cookieAuthKeyPath)
|
app.keys.CookieAuthKey, err = ioutil.ReadFile(cookieAuthKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -63,7 +58,7 @@ func initKeys(app *App) error {
|
||||||
if debugging {
|
if debugging {
|
||||||
log.Info(" %s", cookieKeyPath)
|
log.Info(" %s", cookieKeyPath)
|
||||||
}
|
}
|
||||||
app.keys.cookieKey, err = ioutil.ReadFile(cookieKeyPath)
|
app.keys.CookieKey, err = ioutil.ReadFile(cookieKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -85,7 +80,7 @@ func generateKey(path string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info("Generating %s.", path)
|
log.Info("Generating %s.", path)
|
||||||
b, err := generateBytes(encKeysBytes)
|
b, err := key.GenerateBytes(key.EncKeysBytes)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("FAILED. %s. Run writefreely --gen-keys again.", err)
|
log.Error("FAILED. %s. Run writefreely --gen-keys again.", err)
|
||||||
return err
|
return err
|
||||||
|
@ -98,14 +93,3 @@ func generateKey(path string) error {
|
||||||
log.Info("Success.")
|
log.Info("Success.")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// generateBytes returns securely generated random bytes.
|
|
||||||
func generateBytes(n int) ([]byte, error) {
|
|
||||||
b := make([]byte, n)
|
|
||||||
_, err := rand.Read(b)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return b, nil
|
|
||||||
}
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ func initSession(app *App) *sessions.CookieStore {
|
||||||
gob.Register(&User{})
|
gob.Register(&User{})
|
||||||
|
|
||||||
// Create the cookie store
|
// Create the cookie store
|
||||||
store := sessions.NewCookieStore(app.keys.cookieAuthKey, app.keys.cookieKey)
|
store := sessions.NewCookieStore(app.keys.CookieAuthKey, app.keys.CookieKey)
|
||||||
store.Options = &sessions.Options{
|
store.Options = &sessions.Options{
|
||||||
Path: "/",
|
Path: "/",
|
||||||
MaxAge: sessionLength,
|
MaxAge: sessionLength,
|
||||||
|
|
5
users.go
5
users.go
|
@ -16,6 +16,7 @@ import (
|
||||||
"github.com/guregu/null/zero"
|
"github.com/guregu/null/zero"
|
||||||
"github.com/writeas/web-core/data"
|
"github.com/writeas/web-core/data"
|
||||||
"github.com/writeas/web-core/log"
|
"github.com/writeas/web-core/log"
|
||||||
|
"github.com/writeas/writefreely/key"
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -79,13 +80,13 @@ type (
|
||||||
|
|
||||||
// EmailClear decrypts and returns the user's email, caching it in the user
|
// EmailClear decrypts and returns the user's email, caching it in the user
|
||||||
// object.
|
// object.
|
||||||
func (u *User) EmailClear(keys *Keychain) string {
|
func (u *User) EmailClear(keys *key.Keychain) string {
|
||||||
if u.clearEmail != "" {
|
if u.clearEmail != "" {
|
||||||
return u.clearEmail
|
return u.clearEmail
|
||||||
}
|
}
|
||||||
|
|
||||||
if u.Email.Valid && u.Email.String != "" {
|
if u.Email.Valid && u.Email.String != "" {
|
||||||
email, err := data.Decrypt(keys.emailKey, []byte(u.Email.String))
|
email, err := data.Decrypt(keys.EmailKey, []byte(u.Email.String))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Error decrypting user email: %v", err)
|
log.Error("Error decrypting user email: %v", err)
|
||||||
} else {
|
} else {
|
||||||
|
|
Loading…
Reference in New Issue